[Date Prev][Date Next] [Chronological] [Thread] [Top]

Problems configure access-lists

To: openldap-software@openldap.org
Subject: Problems configure access-lists
From: Andreas Dahlen <andreas@dahlen.ws>
Date: Tue, 16 Jan 2007 08:07:53 +0100
Content-disposition: inline
User-agent: Internet Messaging Program (IMP) H3 (4.2-cvs)

Hi!

I'm running OpenLDAP 2.3.19.

Our LDAP-structure is as below;

ou=admin,dc=example.dc=com
  cn=admlocal (objectclass=person)
  cn=admmaster (objectclass=simpleSecurityObject, organizationalRole)
ou=deps,dc=example.dc=com
  dep=dep1 (objectclass=locDep)
    cn=admin (objectclass=locAdmin)
    locId=ID11 (objectclass=locData)
    locId=ID12 (objectclass=locData)
    locUsr=USR11 (objectclass=locUser)
    .
    .
    .
  dep=dep2 (objectclass=locDep)
    cn=admuser (objectclass=locAdmin)
    locId=ID21 (objectclass=locData)
    locId=ID22 (objectclass=locData)
    locUsr=USR21 (objectclass=locUser)

Objectclasses locDep, locAdmin, locData and locUser are locally defined classes.

Everything works fine right now, but when I looked in sklapd.conf I saw a major configuration error; The access-lists states;

access to attrs=userPassword
        by dn="cn=admmaster,ou=admin,dc=example,dc=com" write
        by anonymous auth
        by self write
        by * none

access to *
        by dn="cn=admlocal,ou=admin,dc=example,dc=com" write
        by dn="cn=admmaster,ou=admin,dc=example,dc=com" write
        by * write

I wants to tighthen this security but I can't figure out how I should configure my access-lists.

* cn=admmaster,ou=admin,dc=example.dc=com
Should have full access to everything

* cn=admlocal,ou=admin,dc=example.dc=com
Should have full access to everything, except userPassword

* cn=<username>,dep=<dep>,ou=deps,dc=example.dc=com Should have full access to everything below its dep, i.e. - cn=admin,dep=dep1,ou=deps,dc=example.dc=com should have full access to everything below dep=deop1,ou=deps,dc=example.dc=com and read on dep=deop1,ou=deps,dc=example.dc=com. - cn=admuser,dep=dep2,ou=deps,dc=example.dc=com should have full access to everything below dep=dep2,ou=deps,dc=example.dc=com and read on dep=dep2,ou=deps,dc=example.dc=com.

The name of (class) locAdmin can be different in different deps.

I hope that I've managed to describe what I wants to achive.

/Andreas


----------------------------------------------------------------
This message was sent using IMP (http://www.horde.org).
Running on PHP 5.1.2, Apache 2.0.55, Ubuntu Dapper.

Prev by Date: object classes that can contain other objects
Next by Date: ppolicy and sync replication
Index(es):
- Chronological
- Thread